
The Federal Trade Commission will expand its oversight of Uber following revelations that the company improperly concealed a 2016 security breach that exposed sensitive data for more than 25 million users.

The ride-hailing service was already bound to an agreement reached last year requiring it to undergo privacy audits every two years for the next two decades. The settlement also required Uber to implement a comprehensive privacy program that protected the personal information the company collected.

The 2017 agreement settled FTC charges that Uber misrepresented the level of access its employees had to user data and the steps it took to secure that data. Following reports in 2014 that Uber employees used an administrative tool internally dubbed God-view to monitor active Uber cars and customers—and sometimes observed specific users' locations for amusement—Uber promised to use a newly created system to monitor and restrict employee access to such information. Last year's FTC charges stemmed, in part, from Uber ending use of that system less than a year after it was put in place.

Failure to disclose new breach


Thursday's expansion of that settlement, the FTC said, came after it learned Uber failed to disclose a 2016 breach that exposed 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers belonging to US Uber drivers and riders. The FTC said Uber learned of the breach in November 2016 but didn't disclose it to consumers or the FTC for another 12 months. Uber also paid the hackers who carried out the breach $100,000 and characterized the payment as a bug-bounty award.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," acting FTC Chairman Maureen K. Ohlhausen said in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."

Under the expanded agreement, Uber is compelled to disclose certain types of incidents involving customer data and to submit to the FTC all the reports from the required third-party audits of Uber's privacy program rather than only the initial one. Uber will further be required to retain records related to bug-bounty reports regarding vulnerabilities that involve potential or actual unauthorized access to consumer data.

My first week at Uber was the week we disclosed the 2016 breach. When [CEO] Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business, and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that, just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts.